Tailnet Lock is a security feature that uses cryptographic signing nodes to control which devices can join a Tailnet, moving the trust boundary from the central control plane to the devices themselves. When enabled, only devices with valid signatures from trusted signing nodes can connect, providing an extra layer of protection against control plane compromise. The system uses a blockchain-like Tailnet Key Authority to cryptographically track and audit changes to signing nodes, with disablement secrets available for recovery if keys are lost.
Deep Dive
Tailscale's Tailnet Lock Explained
Well, welcome in everybody. I'm joined by Alex Chan, who is one of, well, are you an engineer, Alex?
I think officially my title is member of technical staff because engineer is a protected term in Canada.
But yes, most people would call me a software developer or software engineer in Tailscale's developer experience team.
Right, words on keyboard and computer goes brr, basically.
Yes. All right. Well, today we're going to talk about Tailnet Lock, which is one of the most underrated features of Tailscale I think that we have.
It's going to be a fairly low key chat between the two of us talking about what Tailnet Lock is, what you might want to use it for.
And we might even get into some demo stuff a little bit later on.
So, yeah, let's start with that. Let's start with what is Tailnet Lock?
So Tailnet Lock is a feature that exists in a sort of family of features we have in Tailscale for controlling what happens in your Tailnet.
So at the most permissive end, you have the sort of open door policy.
You allow anybody who's a member of your email domain to join your Tailnet and you allow them to add whatever devices you like.
And then we have features like user approval and device approval, which let you control who is allowed to join your Tailnet and what devices they are allowed to add.
And then we have the Tailscale policy file, which controls what devices are allowed to do what and connect to each other once they've joined your Tailnet.
So why would anybody want to use something like Tailnet Lock? What are the kinds of scenarios that it's protecting against?
So Tailnet Lock protects against the scenario where the Tailscale control plane is malicious or compromised.
Device and user approval are mediated through the Tailscale control plane through our admin console.
So you log into login.Tailscale.com and then you can choose whether to approve or deny users and devices in your Tailnet.
But that means that if our control plane were to be compromised or we were to become malicious, we could potentially start approving devices on your behalf.
So Tailnet Lock moves that trust boundary out of our admin console and onto your devices.
And so only the owner of the Tailnet is allowed to choose which devices are actually allowed to join.
And the Tailscale control plane can relay those decisions, but it can't add devices to your Tailnet for you.
So it's a question of moving the trust model around of being like, right, well, today by default, in fact, probably 99% of our customers trust the Tailscale control plane's ability to be like the source of truth, I suppose, in like what can and cannot get added to the Tailnet.
But Tailnet Lock, I suppose, is there to mitigate the risk of the Tailscale being some kind of a threat vector.
I always think about Tailnet Lock and wonder, like it's one of those features that's really good that it exists.
And I'm very glad that it does. But like how likely of a scenario are we talking about here?
Hopefully, fairly unlikely. We have a lot of... Well, it feels like hubris to say it could never happen because that's how it ends up happening next week.
But we have fairly strong internal controls to prevent unauthorized modification of Tailnets, to control access to customer information.
We run Tailscale ourselves internally, so a lot of staff who can't do that, who shouldn't be modifying customer data don't even have access to that.
So for example, you mentioned I'm on our engineering team. I don't have permission to make a lot of those changes to Tailnets because it's not to customer Tailnets, because it's not something I should be doing on a regular basis.
Those permissions are only extended to our support staff who are making modifications on behalf of customers.
So hopefully it's fairly unlikely. But it would be hubris to say that it could never happen.
And so really, once you've sort of thought about the Tailnet Lock model, it essentially means that only trusted nodes can join the Tailnet.
And we can use this in conjunction with another feature of device approval.
And those two features kind of work hand in hand, really.
So a typical company might only allow devices to be... So I'd log into Tailscale on my laptop, so I get a new laptop from work.
And I connect it to my company Tailnet, but it needs manual approval. But Tailnet Lock takes it a step further than that even.
Yes, a Tailnet Lock is... Tailnet Lock is sort of an extension of device approval.
You can't run the two features at the same time.
But I sometimes refer to it as device approval with teeth.
Because with device approval, it's anybody who can access your admin console, who has admin permissions, who can go in and approve devices, add them to your Tailnet.
Whereas with Tailnet Lock, you need to have access to a trusted signing node.
So this is a special node in the Tailnet, has special cryptographic keys.
And then only people with access to those nodes are able to approve nodes in your Tailnet.
And so you'd hope that access to those would be more locked down than access to your admin console.
So how does it work under the hood? How does Lock... How does Tailnet Lock actually work?
So every node in a Tailnet has a public-private keypair. We call this the node key.
This is the key that's used to secure the WireGuard session between peers.
And when you enable Tailnet Lock in a network, you designate a set of trusted signing nodes.
And these nodes have a second public-private keypair, which is the Tailnet Lock key.
And the public key is distributed to all of the nodes in the Tailnet.
And then these signing nodes can sign the node key of any node in the Tailnet.
And that node key signature also gets distributed to all of the nodes through the Tailscale control plane.
So if a node wants to know, do I trust this node? Am I allowed to connect to it?
It can look at the node key and look at the node key signature.
And it can check if that node key signature comes from one of these trusted signing nodes.
And if it does, great. It's allowed to connect with that device.
And if it doesn't, if that node key isn't valid, if the node key signature isn't valid, it's not allowed to connect to that device.
And those Tailnet Lock signing keys never leave the signing nodes.
So they're never sent to Tailscale. They're never shared with other nodes in the network.
So you can only create one of those node key signatures if you have access to that trusted signing node.
And so I presume this means by design, if you lose those signing keys, you can't add any more nodes to the Tailnet. What happens then?
So when you enable Tailnet Lock, we create 10 disablement secrets.
So these are secrets that you can store separately in, for example, a password manager or a fire safe.
And you can use these secrets to disable Tailnet Lock for your entire Tailnet.
And then you could choose to reinitialize it.
When you enable Tailnet Lock, you can also optionally choose to share a disablement secret with the Tailscale support team.
So then you could open a support request and say, hey, I've lost my Tailnet Lock keys.
I need to disable Tailnet Lock for their Tailnet. And the support team can do that on your behalf after verifying that you own the Tailnet.
But that's completely optional. Some customers feel comfortable sharing that secret.
Other customers would rather hold on to all of the secrets themselves and accept that there is a risk.
You could be unable to add nodes to your Tailnet if you lose those secrets.
Interesting. So it's kind of like the iCloud two factor model or like a FileVault encryption model where like you've got your recovery key that you can choose to share with Apple or not. So your iCloud can reset the encryption. Interesting.
So these signing nodes, are they just normal Tailscale nodes or are they special things?
Like how do you, what are they? What are these signing nodes?
So signing nodes are just regular nodes in your Tailnet that the nodes in your Tailnet know to trust as signing nodes.
So then the question becomes, well, how do you know who the trusted signing nodes are?
If we could just say, oh, this node is now trusted to sign things, that sort of undermines the security model.
So we extend the signing concept to the signing nodes themselves.
So there's something, Tailnet Lock introduces something called the Tailnet Key Authority.
And this is a list of who are the trusted signing nodes? What are their Tailnet Lock keys? Which keys should you trust?
And this forms a blockchain. It's a cryptographically signed series of messages saying, you should start trusting this signing node, stop trusting this signing node, start trusting these two signing nodes.
It tracks all of the changes made to that list of signing nodes over your time using Tailnet Lock.
So you have to trust us to distribute that initial seed message of the Tailnet Key Authority to all of your nodes.
But once you've done that, all subsequent updates will be signed by your signing nodes.
And so we can't make any further changes.
An actual bonafide use for blockchain. We finally found one.
Indeed. Indeed. But we don't burn the entire world to make Tailnet Lock work, which is nice.
Yeah, good. So you have a trusted ledger of basically different nodes across the blockchain to say, right, this person approved this node at this time. So that makes auditing probably happy as well.
Yeah, it is. Yeah, it is. Certainly. So there you can see exactly when particular signing nodes were added or removed.
It is quite a useful feature for auditing. You know exactly when these particular nodes were added to the Tailnet Lock and when these nodes were trusted as signing nodes, again with that cryptographic security: you can only generate those cryptographically signed messages if you have access to the Tailnet Lock keys that signed it.
So it's not something that we could falsify or fake; it's a cryptographically provable audit trail.
Interesting. OK, now there is a white paper that you've linked in the show notes here.
We'll put in the description down below talking about the deep cryptographic details of how this all works.
Yeah. So we published a white paper which describes the cryptographic detail, the cryptographic implementation in more detail.
Although a lot of our client code is open source, including all of the pieces of Tailnet Lock, that's not always the most accessible way to understand what Tailnet Lock is doing.
There's the implementation, and there's the design; the white paper is the design, so people can read it in a really digestible form and understand exactly what Tailnet Lock is meant to be doing and satisfy themselves
It is cryptographically sound and then you can go and read our source code and understand, OK, the source code matches the implementation.
It's doing the correct thing. But the white paper is there as sort of the more human readable version, I suppose I would say.
Now, I think we've covered sort of the architecture of Tailnet Lock, what it's for, why you might want to use it.
It's probably time we went on to a demo portion now, right?
Yeah, let's do that. Let's go.
OK, so let's look at a simple demo of how Tailnet Lock works.
So on the left hand side, I've got three nodes running. We're going to run some commands on there in a minute using the Tailscale CLI.
And on the right hand side, I have my tailnet.
So this is just a brand new tailnet that I've created that currently has three nodes in it.
It's using the default ACL. It's not got user or device approval enabled.
It's just a brand new tailnet.
And all three of these devices right now are able to connect to each other.
So if I switch to one of these nodes, for example, and run tailscale ping node two.
The Pong comes back because all three of these nodes are able to connect to each other.
So now let's enable Tailnet Lock and see how that affects the nodes in the tailnet.
So to enable Tailnet Lock, I select settings.
Then I select device management because Tailnet Lock is a device related feature.
And then I select enable Tailnet Lock.
So I'm now presented with this Tailnet Lock configuration screen.
The first step is to choose which nodes I want to use as my signing nodes.
So in this case, I'm going to choose node one and node two just to keep things simple.
This is just the initial selection.
So it is possible to change which Tailnet Lock signing nodes you're using after the fact.
And any changes are recorded in the Tailnet Key Authority with that nice cryptographic blockchain that we talked about earlier.
So then I configure some of my disablement secrets.
So these are kind of like that iCloud recovery code.
These are the secrets that allow me to disable Tailnet Lock if I lose access to all of my signing nodes.
Or indeed if I still have access to my signing nodes, these disablement secrets are what disable Tailnet Lock.
And I can choose whether to send the disablement secrets to Tailscale Support or not.
So if I send it, they would be able to help me recover the tailnet if I lose the secret later.
If not, if I lost all of the secrets and I lost all of my signing nodes, I'd be completely on my own.
Entirely up to you.
What do you think we should do in this case, Alex?
Oh, I think we're going to be just fine today. I trust, in Alex I trust.
Literally.
So we're not going to send the disablement secrets to Tailscale Support.
Okay. So then we're given this lock init command to run on one of our signing nodes.
And so this says, initialize Tailnet Lock, generate 10 disablement secrets.
And then these two public keys are the Tailnet Lock public keys of our two signing nodes.
So I'll copy this command. I will run it on node one.
And now it initializes Tailnet Lock and it prints these 10 disablement secrets here.
So it's really important to keep these secured because these would allow somebody to disable Tailnet Lock in your tailnet.
Print them out and put them on a sticky down the bottom of your monitor, right?
Exactly. That's the secure way to do it.
Exactly. I can trust you not to share this with anybody, right, Alex?
Yeah, no, they definitely won't end up on YouTube either.
Brilliant. Perfect. Okay. So returning to the console, it now says Tailnet Lock is enabled.
And if I switch back to my machines tab, we'll see that two of my nodes now get this signing node label.
This machine can sign new nodes to approve that access to the Tailnet.
And the third node is not a signing node, but it's still connected to the Tailnet.
So when you enable Tailnet Lock, we automatically sign all of your existing nodes so you don't lose any connectivity.
So we're at the point here where I want to add my Pixel device to this Tailnet.
And there's a couple of steps we need to do.
First of all, Alex is going to have to invite me as a user into this Tailnet. So let's do that first of all.
Yeah. So to invite Alex, I go to the users tab, I invite users, and then I can either send you an invitation link or I can invite you via email.
So I'm going to type in your email address here.
Scales plural, right? Correct. Okay. All right. So I'll invite you to the Tailnet.
Okay. Then momentarily, I will receive an email with that invite.
And what that will do is it will add me to the list of users in Alex's TS JustWorks Tailnet.
So as you can see here, I've got an email that's just popped in saying, do you want to join Alex's Tailnet?
Yes, I do. Let's click on the join button right here and sign in with my typical OAuth flow with Google that we do in all of these videos on the channel.
And then I click the button here that says join Tailnet. Now this says you need to be approved, but this is not Tailnet lock in action.
That's coming shortly in a moment. What this is, is simply Alex saying, I can only allow users to join my Tailnet if they're approved.
Okay.
So now this is where I am, you know, pretending to be corporate employee number 101 and I just received my new work phone and I want to log it into the company Tailnet.
So that is a separate step from logging in or being approved as a user.
So I'm going to connect my client device now, which happens to be a Pixel 8 that I have in my hand right here.
I'm going to click the login button in the Tailscale client in Android. It's then going to use my OAuth flow again to the Google sign in that we did.
If I click on TS JustWorks Alex C and connect to that tailnet, you will see here that it says you are, what's the phrasing?
This node is locked out. It will not have connectivity until it has been signed.
Yeah. So if I reload my machines page now, I see your Pixel 8. I see that it's connected, but it's got this locked out red badge in my list of devices.
So I can, as an admin, I can click on this. I can click on your device and we get this orange warning saying it's locked out by tailnet lock.
It can't access the network until it's signed by a trusted Tailnet Lock key. So let's click this orange sign machine button.
The instructions in the sign machine dialog that pops up will tell you to do something on one of your signing nodes.
And this is a really important feature of Tailnet Lock. There is no way for the admin console to unilaterally sign a device.
It can only tell you to go and do that step somewhere on a signing node. That's the whole point of Tailnet Lock, that you have to have access to signing nodes to do the signing process.
So you can sign it using a Mac or a Windows desktop client. You can sign it using an iPhone or an iPad.
We don't support Android yet, but we are working on it. Or we can sign it using the CLI.
So this is Tailscale CLI command that I can copy. And it includes the node key and that's the node key of your pixel device.
And so when I run this on a signing node, it will create the node key signature for that node key.
So let's copy and paste that into here. And then I will run that command.
And that will succeed. And now the admin console says, signing complete. This machine can now connect to your tailnet.
It's got a nice green happy status. The locked out warning is gone. And hopefully your Pixel device is now cleared for the morning and is a fully registered member of the tailnet.
And so with that, my connectivity from my phone here is now established to the rest of my tailnet.
And I'm going to validate that by pressing and holding here and pressing ping. And it's going to make a direct connection to one of the other nodes in the tailnet that Alex has set up for me.
And so that's it. Now I have a just a normal Tailscale experience from this point on as a user.
I don't need to care or even really think too much about the rest of the Tailnet Lock process.
But what it gives you as an admin is just that extra layer of warm and fuzziness and security that things can only join your tailnet when you explicitly allow them.
And more importantly, in this case, cryptographically sign them and permit them to do so.
So Tailnet Lock has been around for a little while now. We released it to generally available status last year.
Yeah, in June last year, we made it generally available after a beta period.
And we got some really useful feedback from customers during that time. And now it's generally available to anybody who uses Tailscale with the Personal, Personal Plus or Enterprise plans.
And so if you have any questions about Tailnet Lock, you can of course reach out to our wonderful support teams.
That's available to all Tailscale customers, personal or paid customers.
I want to say a big thank you to Alex for joining me today. Two British Alexes on the channel at the same time.
It's a, like the universe is colliding, I swear, you know.
But makes it easy to remember my name. Thanks for having me, Alex.
Absolutely. All right. Until next time. Thank you. Bye bye.